
BabelView: Evaluating the Impact of Code Injection Attacks in Mobile Webviews

Part of the Lecture Notes in Computer Science book series (LNSC,volume 11050)

Abstract

A Webview embeds a fully-fledged browser in a mobile application and allows that application to expose a custom interface to JavaScript code. This is a popular technique to build so-called hybrid applications, but it circumvents the usual security model of the browser: any malicious JavaScript code injected into the Webview gains access to the custom interface and can use it to manipulate the device or exfiltrate sensitive data. In this paper, we present an approach to systematically evaluate the possible impact of code injection attacks against Webviews using static information flow analysis. Our key idea is that we can make reasoning about JavaScript semantics unnecessary by instrumenting the application with a model of possible attacker behavior—the BabelView. We evaluate our approach on 25,000 apps from various Android marketplaces, finding 10,808 potential vulnerabilities in 4,997 apps. Taken together, the apps reported as problematic have over 3 billion installations worldwide. We manually validate a random sample of 50 apps and estimate that our fully automated analysis achieves a precision of 81% at a recall of 89%.
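The abstract's key idea, replacing reasoning about JavaScript with a synthetic attacker that drives the Java side of the interface, as an added toy example in Python. This is not the BabelView tool or the authors' code: the three-address IR, the method and API names, the taint labels and the sample bridge object are all constructed here for illustration, and a real analysis would run over Android bytecode with a proper source/sink list.

```python
"""Toy BabelView-style analysis (constructed illustration, not the paper's tool).

The attacker is modelled as a synthetic caller of every JavaScript-exposed
interface method; taint propagation then runs over the Java side only, so no
JavaScript semantics are needed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

ATTACKER = "attacker"  # taint label: value controlled by injected JavaScript
Taint = FrozenSet[str]

# Constructed three-address IR for the Java side of an interface object.
#   ("assign", dst, src)      dst = src
#   ("const", dst)            dst = literal, untainted
#   ("source", dst, api)      dst = result of a sensitive API call
#   ("sink", api, [args])     sensitive action consuming args
#   ("return", var)           value handed back to the JavaScript caller


@dataclass
class Method:
    name: str
    params: List[str]
    body: List[Tuple]


def analyze_method(m: Method, arg_taint: Taint) -> Tuple[Taint, List[Tuple[str, str, Taint]]]:
    """Forward taint propagation through one method.

    Returns the taint of the returned value and a list of
    (method, sink api, taint reaching that sink) records."""
    env: Dict[str, Taint] = {p: arg_taint for p in m.params}
    hits: List[Tuple[str, str, Taint]] = []
    ret: Taint = frozenset()
    for stmt in m.body:
        op = stmt[0]
        if op == "assign":
            env[stmt[1]] = env.get(stmt[2], frozenset())
        elif op == "const":
            env[stmt[1]] = frozenset()
        elif op == "source":
            env[stmt[1]] = frozenset({"source:" + stmt[2]})
        elif op == "sink":
            for arg in stmt[2]:
                taint = env.get(arg, frozenset())
                if taint:
                    hits.append((m.name, stmt[1], taint))
        elif op == "return":
            ret = env.get(stmt[1], frozenset())
    return ret, hits


def babelview(interface: List[Method]) -> Set[Tuple[str, str, str]]:
    """Synthetic attacker driver: call every exposed method with everything the
    attacker currently holds, add what comes back, repeat to a fixpoint."""
    known: Taint = frozenset({ATTACKER})
    findings: Set[Tuple[str, str, str]] = set()
    while True:
        learned: Taint = known
        for m in interface:
            ret, hits = analyze_method(m, known)
            for meth, api, taint in hits:
                if ATTACKER not in taint:
                    continue  # flow not under attacker influence; ignored here
                findings.add(("attacker-to-sink", meth, api))
                for label in taint:
                    if label.startswith("source:"):
                        # sensitive value obtained earlier, re-injected by JS
                        findings.add(("relayed-source-to-sink", label, api))
            learned = learned | ret
        for label in learned:
            if label.startswith("source:"):
                findings.add(("exfiltration", label, "return-to-js"))
        if learned == known:
            return findings
        known = learned


# Constructed sample bridge object (method names and APIs are illustrative).
SAMPLE_INTERFACE = [
    Method("getDeviceId", [], [
        ("source", "id", "TelephonyManager.getDeviceId"),
        ("return", "id"),
    ]),
    Method("getVersion", [], [
        ("const", "v"),
        ("return", "v"),
    ]),
    Method("logEvent", ["msg"], [
        ("const", "tag"),
        ("sink", "Log.i", ["tag", "msg"]),
    ]),
    Method("saveNote", ["path", "text"], [
        ("assign", "p", "path"),
        ("sink", "FileOutputStream.write", ["p", "text"]),
    ]),
    Method("sendSms", ["number", "body"], [
        ("sink", "SmsManager.sendTextMessage", ["number", "body"]),
    ]),
]

if __name__ == "__main__":
    for finding in sorted(babelview(SAMPLE_INTERFACE)):
        print(finding)
```

The fixpoint over what the attacker "knows" is the part that a per-method analysis misses: the device identifier returned by `getDeviceId` is added to the attacker's values and, on the next round, shows up at the file and SMS sinks as a relayed flow, exactly the kind of composition that injected JavaScript glue would perform. For a defender, each `attacker-to-sink` or `exfiltration` record names an interface method that should be removed from the bridge, guarded, or given a narrower signature; `getVersion`, which returns only a constant, produces no finding.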

Keywords

  • Webview
  • Javascript interface
  • Injection
  • Static analysis


Notes

  1. The annotation was introduced in API level 17 to address a security vulnerability that allowed attackers to execute arbitrary code via the Java reflection API [19].

  2. https://github.com/ClaudioRizzo/BabelView.

  3. https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/.

  4. https://developer.android.com/studio/test/monkey.html.

  5. https://www.bettercap.org.

References

  1. Allix, K., Bissyandé, T.F., Klein, J., Traon, Y.L.: Androzoo: collecting millions of Android apps for the research community. In: Proceedings of 13th International Conference on Mining Software Repositories (MSR), pp. 468–471. ACM (2016)

  2. Arzt, S., et al.: FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In: ACM SIGPLAN Conference Programming Language Design and Implementation (PLDI), pp. 259–269. ACM (2014)

  3. Ball, T., et al.: Thorough static analysis of device drivers. In: Proceedings of 2006 EuroSys Conference, pp. 73–85. ACM (2006)

  4. Bhavani, A.B.: Cross-site scripting attacks on Android WebView. CoRR abs/1304.7451 (2013)

  5. Brucker, A.D., Herzberg, M.: On the static analysis of hybrid mobile apps. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds.) ESSoS 2016. LNCS, vol. 9639, pp. 72–88. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-30806-7_5

  6. Chin, E., Wagner, D.: Bifocals: analyzing WebView vulnerabilities in Android applications. In: Kim, Y., Lee, H., Perrig, A. (eds.) WISA 2013. LNCS, vol. 8267, pp. 138–159. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-05149-9_9

  7. Fahl, S., Harbach, M., Muders, T., Smith, M., Baumgärtner, L., Freisleben, B.: Why eve and mallory love Android: an analysis of Android SSL (in)security. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 50–61. ACM (2012)

  8. Georgiev, M., Jana, S., Shmatikov, V.: Breaking and fixing origin-based access control in hybrid web/mobile application frameworks. In: Annual Network and Distributed System Security Symposium (NDSS) (2014)

  9. Hassanshahi, B., Jia, Y., Yap, R.H.C., Saxena, P., Liang, Z.: Web-to-application injection attacks on Android: characterization and detection. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9327, pp. 577–598. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24177-7_29

  10. Jin, X., Hu, X., Ying, K., Du, W., Yin, H., Peri, G.N.: Code injection attacks on HTML5-based mobile apps: characterization, detection and mitigation. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 66–77. ACM (2014)

  11. Jin, X., Wang, L., Luo, T., Du, W.: Fine-grained access control for HTML5-based mobile applications in Android. In: Desmedt, Y. (ed.) ISC 2013. LNCS, vol. 7807, pp. 309–318. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-27659-5_22

  12. Kinder, J., Veith, H.: Precise static analysis of untrusted driver binaries. In: Proceedings of 10th International Conference on Formal Methods in Computer-Aided Design (FMCAD), pp. 43–50 (2010)

  13. Lee, S., Dolby, J., Ryu, S.: HybriDroid: static analysis framework for Android hybrid applications. In: Proc. IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 250–261. ACM (2016)

  14. Li, T., et al.: Unleashing the walking dead: understanding cross-app remote infections on mobile WebViews. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM (2017)

  15. Luo, T., Hao, H., Du, W., Wang, Y., Yin, H.: Attacks on WebView in the Android system. In: Annual Computer Security Applications Conference (ACSAC), pp. 343–352. ACM (2011)

  16. Luo, T., Jin, X., Ananthanarayanan, A., Du, W.: Touchjacking attacks on Web in Android, iOS, and Windows phone. In: Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N., Miri, A., Tawbi, N. (eds.) FPS 2012. LNCS, vol. 7743, pp. 227–243. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-37119-6_15

  17. Mutchler, P., Doupé, A., Mitchell, J., Kruegel, C., Vigna, G.: A large-scale study of mobile web app security. In: Proceedings of IEEE Symposium on Security and Privacy Workshops (SPW), Mobile Security Technologies (MoST). IEEE (2015)

  18. Mutchler, P., Safaei, Y., Doupé, A., Mitchell, J.C.: Target fragmentation in Android apps. In: Proceedings of IEEE Symposium on Security and Privacy Workshops (SPW), Mobile Security Technologies (MoST), pp. 204–213. IEEE (2016)

  19. MWR InfoSecurity: WebView addJavascriptInterface remote code execution, September 2013. https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/

  20. Neugschwandtner, M., Lindorfer, M., Platzer, C.: A view to a kill: WebView exploitation. In: USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET) (2013)

  21. Phung, P.H., Mohanty, A., Rachapalli, R., Sridhar, M.: HybridGuard: a principal-based permission and fine-grained policy enforcement framework for web-based mobile applications. In: Proceedings of IEEE Symposium on Security and Privacy Workshops (SPW), Mobile Security Technologies (MoST) (2017)

  22. Rasthofer, S., Arzt, S., Bodden, E.: A machine-learning approach for classifying and categorizing Android sources and sinks. In: Annual Network and Distributed System Security Symposium (NDSS). The Internet Society (2014)

  23. Shehab, M., Jarrah, A.A.: Reducing attack surface on Cordova-based hybrid mobile apps. In: Proceedings of International Workshop on Mobile Development Lifecycle (MobileDeLi), pp. 1–8. ACM (2014)

  24. Thomas, D.R.: The lifetime of Android API vulnerabilities: case study on the JavaScript-to-Java interface (transcript of discussion). In: Christianson, B., Švenda, P., Matyáš, V., Malcolm, J., Stajano, F., Anderson, J. (eds.) Security Protocols 2015. LNCS, vol. 9379, pp. 139–144. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26096-9_14

  25. Thomas, D.R., Beresford, A.R., Rice, A.C.: Security metrics for the Android ecosystem. In: Proceedings of ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM), pp. 87–98. ACM (2015)

  26. Tuncay, G.S., Demetriou, S., Gunter, C.A.: Draco: a system for uniform and fine-grained access control for web code on Android. In: Proceedings ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 104–115. ACM (2016)

  27. Vallée-Rai, R., Co, P., Gagnon, E., Hendren, L.J., Lam, P., Sundaresan, V.: Soot - a Java bytecode optimization framework. In: Proceedings of Conference on Centre for Advanced Studies on Collaborative Research (CASCON), p. 13 (1999)

  28. Wu, D., Liu, X., Xu, J., Lo, D., Gao, D.: Measuring the declared SDK versions and their consistency with API calls in Android apps. In: Ma, L., Khreishah, A., Zhang, Y., Yan, M. (eds.) WASA 2017. LNCS, vol. 10251, pp. 678–690. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-60033-8_58

  29. Yang, G., Huang, J., Gu, G.: Automated generation of event-oriented exploits in Android hybrid apps. In: Annual Network and Distributed System Security Symposium (NDSS) (2018)

  30. Yang, G., Huang, J., Gu, G., Mendoza, A.: Study and mitigation of origin stripping vulnerabilities in hybrid-postmessage enabled mobile applications. In: Proceedings of IEEE Symposium on Security and Privacy (S&P) (2018)

  31. Yang, G., Mendoza, A., Zhang, J., Gu, G.: Precisely and scalably vetting JavaScript bridge in Android hybrid apps. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds.) RAID 2017, pp. 143–166. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66332-6_7


Acknowledgement

We would like to thank our shepherd, Angelos Stavrou, and the anonymous reviewers for their valuable feedback. We are grateful to Roberto Jordaney, Blake Loring, Duncan Mitchell, James Patrick-Evans, Feargus Pendlebury, and Versha Prakash for their help and their comments on earlier drafts of this paper. This work was in part supported by EPSRC grant EP/L022710/1 and a Google Faculty Award.

Author information

Correspondence to Claudio Rizzo, Lorenzo Cavallaro or Johannes Kinder.

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Cite this paper

Rizzo, C., Cavallaro, L., Kinder, J. (2018). BabelView: Evaluating the Impact of Code Injection Attacks in Mobile Webviews. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2018. Lecture Notes in Computer Science, vol 11050. Springer, Cham. https://doi.org/10.1007/978-3-030-00470-5_2

  • DOI: https://doi.org/10.1007/978-3-030-00470-5_2
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-00469-9
  • Online ISBN: 978-3-030-00470-5
  • eBook Packages: Computer Science (R0)